Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analysis of Communication Models in Web Service Compositions Marco Pistore University of Trento Joint work with Raman Kazhamiakin.

Published byMaria Clark Modified over 10 years ago

Similar presentations

Presentation on theme: "Analysis of Communication Models in Web Service Compositions Marco Pistore University of Trento Joint work with Raman Kazhamiakin."— Presentation transcript:

1 Analysis of Communication Models in Web Service Compositions Marco Pistore pistore@dit.unitn.it University of Trento Joint work with Raman Kazhamiakin and Luca Santuari pistore@dit.unitn.it

2 24.05.2006WWW'06 - Edinburgh Context ASTRO projectASTRO project service compositionsProvide tools that support the design and execution of service compositions WS-BPELComponent services are stateful and long-running (e.g., WS-BPEL services) formal verificationOne of the techniques provided by ASTRO is formal verification correctness of the composition behaviorFormal check of the correctness of the composition behavior InteractionInteraction mechanisms are complex and implementation-dependent Complex queues and message management mechanisms Scenarios with message overpasses and losses are possible Diversity of implementations communication modelsNecessity to define an appropriate formal communication models Tradeoff between expressiveness and complexity of the analysis 1

3 24.05.2006WWW'06 - Edinburgh Motivating example 3

4 24.05.2006WWW'06 - Edinburgh Motivating example: Virtual Travel Agency Provide combined flight and hotel booking service HotelFlightIntegrate separate Hotel and Flight booking services BPELParticipants are represented with their BPEL specifications VTA User Hotel Flight Request Ack/NAck Offer/NA Ticket Flight Request Flight Offer/NA Flight Ack/Nack Flight Ticket Hotel Request Hotel Offer/NA Hotel Ack/Nack Hotel Ticket 3

5 24.05.2006WWW'06 - Edinburgh VTA Processes 4 User VTA Hotel Flight

6 24.05.2006WWW'06 - Edinburgh Composition Properties synchronizableThe composition is synchronizable At any moment of time only one component emits a message The receiver is immediately ready to consume the message Synchronous communication model synchronizeComponents synchronize on shared actions Efficient reasoning techniques Universally used in verification tools for web service compositions adequateThe synchronous communication model is adequate for synchronizable compositions The presence of queues in the implementation does not add new behaviors Not applicable to the wide range of systems cancellationE.g. cancellation scenarios 5

7 24.05.2006WWW'06 - Edinburgh VTA Processes – Cancellation invoke (Ack) receive (Ticket) on message (Ack) invoke (F.Ack) receive (F.Ack) on message (F.Cancel) on alarm invoke (F.Ticket) case (No Cancel) case (Cancel) invoke (Cancel) on message (YES) on message (Ticket) on message (Cancel) invoke (F.Cancel) on message (F.YES) on message (F.Ticket) invoke (YES) invoke (Ticket)... receive (F.Cancel) invoke (F.YES) 6 User VTA Flight

8 24.05.2006WWW'06 - Edinburgh VTA Processes – Cancellation Deadlock? invoke (Ack) receive (Ticket) on message (Ack) invoke (F.Ack) receive (F.Ack) on message (F.Cancel) on alarm invoke (F.Ticket) case (No Cancel) case (Cancel) invoke (Cancel) on message (YES) on message (Ticket) on message (Cancel) invoke (F.Cancel) on message (F.YES) on message (F.Ticket) invoke (YES) invoke (Ticket)... receive (F.Cancel) invoke (F.YES) 6 User VTA Flight

9 24.05.2006WWW'06 - Edinburgh VTA Processes – Cancellation Deadlock? No! invoke (Ack) receive (Ticket) on message (Ack) invoke (F.Ack) receive (F.Ack) on message (F.Cancel) on alarm invoke (F.Ticket) case (No Cancel) case (Cancel) invoke (Cancel) on message (YES) on message (Ticket) on message (Cancel) invoke (F.Cancel) on message (F.YES) on message (F.Ticket) invoke (YES) invoke (Ticket)... receive (F.Cancel) invoke (F.YES) 6 User VTA Flight

10 24.05.2006WWW'06 - Edinburgh invoke (Ack) receive (Ticket) on message (Ack) invoke (F.Ack) receive (F.Ack) on message (F.Cancel) on alarm invoke (F.Ticket) case (No Cancel) case (Cancel) invoke (Cancel) on message (YES) on message (Ticket) on message (Cancel) invoke (F.Cancel) on message (F.YES) on message (F.Ticket) invoke (YES) invoke (Ticket)... receive (F.Cancel) invoke (F.YES) VTA Processes – Cancellation 6 User VTA Flight

11 24.05.2006WWW'06 - Edinburgh Composition Properties The synchronous communication model is violated The concurrent emission of messages is possible in the same time point: F.Cancel and F.Ticket The real execution is correct non-blockingEngines support non-blocking message emissions and message queues In the scenario, all message are eventually consumed, and cancellation is performed correctly adequate communication modelAn adequate communication model is needed to formally verify this scenario! AsynchronousorderedAsynchronous ordered communication model timeEmission and reception of a message do not have to happen at the same time orderThe order of message emission and the order of message reception between two processes should be the same (no message overpass) Intuitively: an ordered queue between each pair of processes 7

12 24.05.2006WWW'06 - Edinburgh VTA Processes – Complex Cancellation invoke (Ack) receive (Ticket) on message (Ack) invoke (F.Ack) receive (F.Ack) on message (F.Cancel) on alarm invoke (F.Ticket) case (No Cancel) case (Cancel) invoke (Cancel) on message (YES) on message (NO) on message (Cancel) invoke (F.Cancel) on message (F.YES) on message (F.NO) invoke (YES) invoke (Ticket)... receive (F.Cancel) invoke (F.YES) receive (Ticket) receive (F.Ticket) invoke (NO) invoke (F.NO) 8 User VTA Flight

13 24.05.2006WWW'06 - Edinburgh VTA Processes – Complex Cancellation invoke (Ack) receive (Ticket) on message (Ack) invoke (F.Ack) receive (F.Ack) on message (F.Cancel) on alarm invoke (F.Ticket) case (No Cancel) case (Cancel) invoke (Cancel) on message (YES) on message (NO) on message (Cancel) invoke (F.Cancel) on message (F.YES) on message (F.NO) invoke (YES) invoke (Ticket)... receive (F.Cancel) invoke (F.YES) receive (Ticket) receive (F.Ticket) invoke (NO) invoke (F.NO) Deadlock? No! 8 User VTA Flight

14 24.05.2006WWW'06 - Edinburgh VTA Processes – Complex Cancellation invoke (Ack) receive (Ticket) on message (Ack) invoke (F.Ack) receive (F.Ack) on message (F.Cancel) on alarm invoke (F.Ticket) case (No Cancel) case (Cancel) invoke (Cancel) on message (YES) on message (NO) on message (Cancel) invoke (F.Cancel) on message (F.YES) on message (F.NO) invoke (YES) invoke (Ticket)... receive (F.Cancel) invoke (F.YES) receive (Ticket) receive (F.Ticket) invoke (NO) invoke (F.NO) 8 User VTA Flight

15 24.05.2006WWW'06 - Edinburgh Composition Properties 9 The ordered communication model is violated The order of emissions of messages F.Ticket and F.NO is different from the order of receptions The real execution is be correct Engines support message overpasses In the scenario, all message are eventually consumed, and cancellation is performed correctly adequate communication modelAlso in this case, an adequate communication model is needed to model and formally verify this scenario! Asynchronous unorderedAsynchronous unordered communication model No restrictions on the message order Intuitively, one queue for each message type (very similar to real implementations)

16 24.05.2006WWW'06 - Edinburgh Our approach set ofcommunication modelsDefine a set of communication models Different levels of complexity Different interaction mechanisms Common framework adequateGiven a certain composition scenario determine an adequate communication model Represents all real executions of the composition Preserves behavioral properties IncrementalIncremental analysis process From simpler to complex communication models Check if the communication model is adequate w.r.t. the scenario If yes, perform the formal verification against this model 2

17 24.05.2006WWW'06 - Edinburgh Our approach: formal definitions Three main ingredients: Component services are formally modeled as State Transition Systems The modalities of the communications are formalized as a Communication Model The composite behavior of the component services according to a specific communication model is formally described as a Global State Transition System 2

18 24.05.2006WWW'06 - Edinburgh From BPEL to STS State Transition SystemState Transition System Σ = S,S 0,I,O,R where statesS – finite set of states initialS 0 – set of initial states inputI – set of input actions outputO – set of output actions transition – transition relation receive (F.Request) case (Not Available) case (Available) invoke (F.NA) invoke (F.Offer) on message (F.NAck) on message (F.Ack) invoke (F.Ticket) PROCESS Flight STATES {Start, switch_IsAvailable, OUT_FNA, SUCCESSS,…} INPUT FRequest, FNAck, FAck OUTPUT FNA, FOffer, FTicket INIT state = Start TRANS Start – [IN FRequest] -> switch_IsAvailable switch_IsAvailable – [TAU] -> OUT_FNA switch_IsAvailable – [TAU] -> OUT_FOffer … 11

19 24.05.2006WWW'06 - Edinburgh Communication Model A communication model Δ is defined by a set of queuesQ 1, Q 2, …, Q n where each queue Q i has associated: A set of messages M i A (finite or infinite) bound B i on the messages it can contain Synchronous communication model: A single queue with bound 1 Ordered asynchronous communication model: One unbounded queue for (the messages exchanged between) each pair of services Unordered asynchronous communication model: One unbounded queue for each message type 12

20 24.05.2006WWW'06 - Edinburgh Communication Model A communication model Δ is defined by a set of queuesQ 1, Q 2, …, Q n where each queue Q i has associated: A set of messages M i A (finite or infinite) bound B i on the messages it can contain Other communication models are possible: One queue per process (locally ordered model): see paper Mixed synchronous and asynchronous communications (e.g., manage only tickets/cancellations as asynchronous communications) Mixed bounded/unbounded queues … 12

21 24.05.2006WWW'06 - Edinburgh Global State Transition System 12 A Global State Transition System (GSTS): defines the composite behavior of the system. is parametric wrt a communication model Δ A GSTS is a tuple G = GS,GS 0,A,T, where: GS are the global states; each state has the form gs = (, ), where: s i is the state of the i-th component STS q j describes the content of the j-th queue GS 0 are the initial global states A are the input-output actions T GS x A x GS is the transition relation

22 24.05.2006WWW'06 - Edinburgh GSTS: transitions 12 The transition relation T GS x A x GS is defined as follows: If the i-th STS performs an output: update the status of the STS add the emitted message to the associated queue If the i-th STS performs an input: consume a message from the associated queue (the queue has to be non-empty!) update the status of the STS If the i-th STS performs a TAU action: update the status of the STS

23 24.05.2006WWW'06 - Edinburgh Translation Implementation W1....WnW1....Wn Component Services BPEL2STS Translation Σ1....ΣnΣ1....Σn STS Composition STS to NuSMV/Spin Global STS Communication Model NuSMV/Spin Validity Analysis Validity Counterexample Property Counterexample VERIFICATION Valid Verification Properties 16

24 24.05.2006WWW'06 - Edinburgh Experiments Instances of VTA Case Study Different communication models Different verification properties: deadlock, LTL properties (F User.state = SUCCESS) ((F Hotel.state = SUCCESS) & F (Flight.state = SUCCESS)) 17 Example 1Sync.0.5 sec1 sec (Valid)0.5 sec Example 2Sync.2 sec4 sec (Invalid) Ordered4 sec3 sec (Valid)3 sec2 sec Example 3Sync.4 sec5 sec (Invalid) Ordered8 sec7 sec (Invalid) Unordered11 sec6 sec (Valid)5 sec4 sec InstanceModelTranslationValidityDeadlockLTL

25 24.05.2006WWW'06 - Edinburgh Conclusions unified frameworkAn unified framework for the analysis of Web service compositions under different communication models is presented validation verificationThe framework allows for validation of the composition against communication model and for verification of the valid composition toolA prototype tool based on the framework is implemented Future works: dataBetter support for data (application of knowledge level and abstraction based reasoning techniques) ConformanceWS-BPELWS-CDLConformance problem: verify a WS-BPEL process against a WS-CDL choreography specification 18

26 24.05.2006WWW'06 - Edinburgh Any question ? 19

Download ppt "Analysis of Communication Models in Web Service Compositions Marco Pistore University of Trento Joint work with Raman Kazhamiakin."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Synthesis of Protocol Converter Using Timed Petri-Nets Anh Dang Balaji Krishnamoorthy Manoj Iyer Presented by:

Synthesis of Protocol Converter Using Timed Petri-Nets Anh Dang Balaji Krishnamoorthy Manoj Iyer Presented by:
A-Priori Verification of Web Services with Abduction Marco Alberti 1 Federico Chesani 2 Marco Gavanelli 1 Evelina Lamma 1 Paola Mello 2 Marco Montali 2.

A-Priori Verification of Web Services with Abduction Marco Alberti 1 Federico Chesani 2 Marco Gavanelli 1 Evelina Lamma 1 Paola Mello 2 Marco Montali 2.
Fakultät für informatik informatik 12 technische universität dortmund SDL Peter Marwedel TU Dortmund, Informatik 12 Graphics: © Alexandra Nolte, Gesine.

Fakultät für informatik informatik 12 technische universität dortmund SDL Peter Marwedel TU Dortmund, Informatik 12 Graphics: © Alexandra Nolte, Gesine.
1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.

1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Requirements Diagrams With UML Models

Requirements Diagrams With UML Models
1 Verification of Parameterized Systems Reducing Model Checking of the Few to the One. E. Allen Emerson, Richard J. Trefler and Thomas Wahl Junaid Surve.

1 Verification of Parameterized Systems Reducing Model Checking of the Few to the One. E. Allen Emerson, Richard J. Trefler and Thomas Wahl Junaid Surve.
OOAD – Dr. A. Alghamdi Mastering Object-Oriented Analysis and Design with UML Module 3: Requirements Overview Module 3 - Requirements Overview.

OOAD – Dr. A. Alghamdi Mastering Object-Oriented Analysis and Design with UML Module 3: Requirements Overview Module 3 - Requirements Overview.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 31 Slide 1 Service-centric Software Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 31 Slide 1 Service-centric Software Engineering.
Toward an Agent-Based and Context- Oriented Approach for Web Services Composition IEEE TRANSACTIONS ON KNOWLEDGE AND DATA ENGINEERING, VOL. 17, NO. 5,

Toward an Agent-Based and Context- Oriented Approach for Web Services Composition IEEE TRANSACTIONS ON KNOWLEDGE AND DATA ENGINEERING, VOL. 17, NO. 5,
Vasileios Germanos 1, Stefan Haar 2, Victor Khomenko 1, and Stefan Schwoon 2 1 School of Computing Science, Newcastle University, UK 2 INRIA & LSV (ENS.

Vasileios Germanos 1, Stefan Haar 2, Victor Khomenko 1, and Stefan Schwoon 2 1 School of Computing Science, Newcastle University, UK 2 INRIA & LSV (ENS.
1 Chapter 4 The while loop and boolean operators Samuel Marateck ©2010.

1 Chapter 4 The while loop and boolean operators Samuel Marateck ©2010.
Executional Architecture

Executional Architecture
Summer SOC July 2 nd – July 7 th Aniketos platform: Design of a trustworthy composite service 1.

Summer SOC July 2 nd – July 7 th Aniketos platform: Design of a trustworthy composite service 1.
Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,

Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 31 Slide 1 Service-centric Software Engineering 1.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 31 Slide 1 Service-centric Software Engineering 1.
Modeling Main issues: What do we want to build How do we write this down.

Modeling Main issues: What do we want to build How do we write this down.

Similar presentations

Ads by Google